Changing DAG properties causes username password error

After an import of our Exchange 2013 CU9 environment in a test environment every configuration attempt to the Database Availability Group results in the following error:

Error: Cluster API failed: "ClusterResourceControl(controlcode=CLUSCTL_RESOURCE_SET_PRIVATE_PROPERTIES) failed with 0x52e. Error: The user name or password is incorrect"

The AD servers were imported. The Exchange servers were imported. Database copies have been removed; only the primary database has been mounted. The file witness has been imported. But when I open the Failover Cluster Manager, the file witness appears offline, and changing the configuration of the DAG (adding or removing servers, etc.) results in the following error.

I would appreciate your thoughts.

Best regards,


Amit (IT Architect) commented:
You cannot do an Exchange import in test. You need to perform a server recovery. I assume you are trying to restore a prod Exchange server in test. If yes, then follow this:

1) If you have a VM AD server, then do a cold clone from prod.
2) Bring the AD server up in test, isolated from prod.
3) Now seize and transfer FSMO.
4) Remove all name servers from DNS and make sure only the DC you restore in test is the name server. I assume you have DNS running on AD.
5) Run nslookup and confirm that it resolves only to the test DC.
6) Now install a new member or Exchange server in the test domain with the same name as the prod server you want to restore.
Note: Make sure to keep the disk and hardware config the same as the prod Exchange server.
7) Reset the computer object in AD and join the member server.
8) Now install all prerequisites.
9) If you are restoring a DAG member, then you need to perform cleanup for the other DBs and servers using ADSIedit.
10) Finally, install the server with /m:recoverserver
11) Restore the DB from backup and mount it.

Let me know if you have any further queries.
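
Steps 3 to 5 of the procedure above can be checked with a script before any Exchange recovery is attempted. This is an added example, not part of the original post; the domain name and DC name are placeholders, and reading step 5 as a check of the DC locator SRV records is an assumption.

```powershell
# Added example: pre-flight isolation checks for steps 3-5 of the recovery procedure.
# $Domain and $TestDc are placeholders (assumptions), not values from the thread.
param(
    [string]$Domain = 'test.example',        # placeholder AD DNS domain name
    [string]$TestDc = 'dc01.test.example'    # placeholder FQDN of the restored test DC
)
Import-Module ActiveDirectory

$problems = @()

# Step 3: every FSMO role must be held by the restored DC.
$d = Get-ADDomain -Server $TestDc
$f = Get-ADForest -Server $TestDc
$roles = [ordered]@{
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -ne $TestDc) { $problems += "FSMO $($r.Key) held by $($r.Value)" }
}

# Step 4: the zone's NS records should list only the restored DC.
$ns = Resolve-DnsName -Name $Domain -Type NS -Server $TestDc -DnsOnly |
      Where-Object { $_.Type -eq 'NS' } | Select-Object -ExpandProperty NameHost
$ns | Where-Object { $_ -ne $TestDc } |
      ForEach-Object { $problems += "Extra name server in zone: $_" }

# Step 5 (assumed interpretation): DC locator SRV records resolve only to the restored DC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $TestDc -DnsOnly |
       Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
$srv | Where-Object { $_ -ne $TestDc } |
       ForEach-Object { $problems += "Stale DC still registered in DNS: $_" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Isolation checks passed for $TestDc"
```

A non-zero exit means the test domain still references a DC or name server other than the restored one, which should be cleaned up before continuing with step 6.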
Amit Kumar commented:
Did you change the Cluster service to another user? It seems that account has a problem with authentication.
mailbeheer (Author) commented:
@Amit Kumar: Thanks for your reply. The cluster service is running as "local system".
I didn't change this.

@Amit: I have imported the Exchange environment a couple of times in the past. No problems whatsoever. As long as a copy of the current AD is imported along with the Exchange servers, all features stay online. The only thing we change in the test environment is the content of the databases. We only clone the system drive of the Exchange servers and later recreate the Log, TransactionLog and Database partitions. After removing database copies and mounting the database, a clean/empty instance of the database is created. All mail flow comes online and every option seems to work. The only difference now from an earlier import is the DAG configuration. Before, we were running without a DAG and thus without clustering.

Every change in the configuration in Exchange is accepted and executed without failure. The only configuration option that ends in an error is the database availability group. Example: changing the witness server, or removing a DAG member when quorum is affected. We have 8 servers and a witness server. Removing 1 member from the DAG is accepted, but removing another ends in the provided error.

Please give me your thoughts.


Amit (IT Architect) commented:
I did DAG server recovery several times in test, and the method I follow I explained above. DAG will be a bit different, as you might not be recovering all servers, hence cleanup is required. Otherwise, Exchange won't start, as it will be searching for other members. If you have CAS and MBX on the same server in prod, restore that server. If the roles are on separate servers, then you need to recover 2 servers.
mailbeheer (Author) commented:
After a long search we re-imported the AD. After this import (without password change) the entire environment came back to life. It seems that one of the user accounts had a reference to the DAG which became broken after the password change of all AD accounts in our test environment. I'm currently testing which accounts we can safely change without problems.

mailbeheer (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for mailbeheer's comment #a41231885

for the following reason:

came to this conclusion without help by provided comments.
Amit (IT Architect) commented:
I suggested the right solution in my first post.